MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209
SHA3-384 hash:	b3cacaa8efdbc2b55d69127815dbc760a15020f44e40e5405e9badd62b7daea9a6184b42d7d7e0974f6861ffc692803f
SHA1 hash:	0f2b1c4f31477c2cfc825f2e6c0ba4959e93f0b6
MD5 hash:	3974314d6d596534c068fcaa526acc57
humanhash:	bluebird-whiskey-ack-vermont
File name:	INV00384929.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	796'672 bytes
First seen:	2020-10-13 07:20:02 UTC
Last seen:	2020-10-13 08:21:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:0PyM+HobyIWVeXcpoJn3WfSaNCWgjMbboEjOVVlqUo5tY:0KftS+PibqUo7
Threatray	10'621 similar samples on MalwareBazaar
TLSH	3905E07B72E9AB26E07E9B7D082050840BF3E64BF327D5993DF941E80556FD503B2A12
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: box0.samdem-global.com
Sending IP: 194.87.138.123
From: "Kristýna Veselý" <krisyvesely@centrum.cz>
Subject: Žádost o nabídku produktu
Attachment: INV00384929.rar (contains "INV00384929.exe")

AgentTesla SMTP exfil server:
mail.dogulumetal.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/70306/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.445.12365.16688.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/489293

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-10-13 01:18:57 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=34sppid3qwr6q6fy37l57etkdrqtxp4z2bylyyh4xxs4f7a5mieq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

52d7bfc971d3f5909eed410680570736d02dc79f93b42e1627a78597205ef862

AgentTesla

6b24da236543d38133dc41cadcf3dea51bc290479b3d669031a2c8668a620648

AgentTesla

7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9

AgentTesla

878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805

AgentTesla

9913754d30b7cf04988adc1cb3d04fd3822958908216bd48df128df2a653f8cf

AgentTesla

9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab

AgentTesla

b6dac3c563e7b771fa56992d6c5ac321278e8ff4653b5f50f283855e672cdb3d

AgentTesla

d9f4c10febc99ea723d7f3f13d92be6bd54fc18eab233e5b28c5bcff0f3c1e1e

AgentTesla

e81d6248c4a2573bb76f309ae753dcea56596aec8c516d22509e479cce758e8b

AgentTesla

+ 10'611 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/201013-akjb4ge2tn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209

MD5 hash:

3974314d6d596534c068fcaa526acc57

SHA1 hash:

0f2b1c4f31477c2cfc825f2e6c0ba4959e93f0b6

Link:

https://www.unpac.me/results/68394d99-519b-4071-8bd1-ef0e363d3aec/

SH256 hash:

13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43

MD5 hash:

109cedae3c384a1913107f1efad2b7c8

SHA1 hash:

1f7f35b0ed85fa12bb839cbce698e59a30813420

Link:

https://www.unpac.me/results/68394d99-519b-4071-8bd1-ef0e363d3aec/

SH256 hash:

13fc291be8e8d1ed194f4c685d19decc6484cadfad6b5dc23a6909c3e4488f6d

MD5 hash:

dab29dfe83fdbd265160f01929e455f0

SHA1 hash:

5b392e6995200e71c09be9d5a157ebe6dd5817aa

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/68394d99-519b-4071-8bd1-ef0e363d3aec/

Parent samples :

df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209
ce0e3fc93d62dce8c30d501addb15d0d71005534a98aed47478a173791fe5405
08f3f7280c691d1caf4395d6201382f43d047bb7ac92d4178c62b1a9c657861b
0906f092a4c0ccb3f7e2b737bcaea272eecbf01a2d5a0056b9550db05e7ee73e
7b369fd0996c226be39abc33e7727f13ccd9435d00321d49b7f81ca4f93b6a9c

SH256 hash:

814585389e02bd6d92245746ead51eb5d806fde047a21e1fdc46a3d1c94dc260

MD5 hash:

eaa820ba2fae91aa817421b6e7e4ce61

SHA1 hash:

6880b316e0e4f62466a58a3525f052ae9aeab530

Link:

https://www.unpac.me/results/68394d99-519b-4071-8bd1-ef0e363d3aec/

SH256 hash:

52be73335474ef167ab2b1cd22bc0c9b7a302f884eb057a1acfd518b6d22a5cb

MD5 hash:

8ae866714d406f7215e76e1ea8a33a48

SHA1 hash:

fb0ed52c861fc8562064ee0b6dfaa64a1f13f76d

Link:

https://www.unpac.me/results/68394d99-519b-4071-8bd1-ef0e363d3aec/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar